Central Deployment of Hotfixes and Version Upgrades

Introduction

Use Central Deployment in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to perform batch deployment of:

Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators and Hotfixes on Security Gateways and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members.
Upgrade Packages on Security Gateways, Cluster Members, Log Servers and secondary management.
Uninstall Jumbo Hotfix Accumulators and Hotfixes.

You can Deploy a Hotfix or Upgrade Package from:

The Check Point Cloud.
The Package Repository Collection of software packages that were uploaded to the Management Server. You can easily install these packages in SmartConsole on the managed Security Gateways. on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

First, you must upload the applicable package to the Package Repository. See Adding a package to the Package Repository.

To use Central Deployment through the API, see the Check Point Management API Reference.

Best Practice - Use the Package Repository on the Management Server if the target's connectivity to the Management Server is better than the target's connectivity to the cloud, or if the target is overloaded with traffic.

Note - You can select up to 30 Security Gateways and Cluster Members, but installation can take place only on 10 targets at the same time. The Management Server places each target above the 10th in a queue. Each time an installation completes on one of the targets, the Management Server installs it on the next target in the queue.

Some Security Gateways have Recommended Hotfixes. See the Recommended Jumbo column in the Gateways & Servers view:

You can deploy a Recommended Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. or a specific Jumbo Hotfix Accumulator take.

Prerequisites

To use Central Deployment:

The administrator must have SmartUpdate Legacy Check Point GUI client used to manage licenses and contracts in a Check Point environment. write permission on the Management Server.
The latest build of the CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. Deployment Agent must be installed on the target Security Gateways and Cluster Members or on the Management Server.
SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. must already be established between the Management Server and the target Security Gateways and Cluster Members.
A policy must be installed on the target Security Gateways and Cluster Members.
Only full clusters can be selected (you cannot select one cluster member Security Gateway that is part of a cluster.).

To use Central Deployment directly from the Check Point Cloud:

The Management Server must be able to connect to the Check Point Cloud.
The target Security Gateways and Cluster Members must be able to connect to the Check Point Cloud.

Limitations

Upgrade from the R80.30, R80.20, and R80.10 versions (to upgrade from these versions to a higher version, use the CPUSE in-place upgrade).
Central Deployment does not support:
- Connecting from SmartConsole to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. through a proxy server.
  In this case, use the applicable API command.
- ClusterXL in Load Sharing mode.
- VRRP Cluster.
- Security Group in Maestro.
- Security Group on Scalable Chassis 40000 / 60000.
- ElasticXL Cluster.
- For Centrally Managed Quantum Spark Appliances running Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Embedded operating system:
  - Downloading the package from the Check Point Cloud. You must manually add the required package to the Package Repository on the Security Management Server.
  - When using SmartConsole Central Deployment to install a firmware package of the same version, but of a lower build number than is already installed on a Quantum Spark appliance, the "Verify" action does not compare the firmware build numbers. Therefore, SmartConsole shows that "The package is valid for installation", while in fact, the installation will fail by design.
- On Multi-Domain Servers, SmartConsole connected to the Global Domain, or the Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. context.

Installation

Adding a package to the Package Repository

From the left navigation panel, click Manage & Settings.
From the left tree, click Package Repository.
Click New and select one of these options:
- Download from cloud - To download the package to the Package Repository from the Check Point Cloud, paste the package CPUSE identifier and click Download.
- Upload from local - To upload the package to the Package Repository from your device, browse to the applicable package and click Open.
After the download or upload is complete, the package appears in the Package Repository window in SmartConsole > Manage & Settings view.

Notes:

Add one package to the repository at a time.
For Quantum Spark Appliances that run Gaia Embedded OS R80.20.xx and higher, you must download a special TAR package (that contains the firmware image and the required configuration file hf.config) and use the "Upload from local" option.
When you upload a package to the Package Repository in a Multi-Domain environment:
- You can upload the package to the Global Domain. In this case, you can see the uploaded package from all Domains and install it on the Domain or Domains of your choice.
- You can upload the package to a specific Domain. In this case, you can see the package and install it only on that specific Domain.

Installing a Hotfix or Upgrade Package on multiple Security Gateways or Cluster Members

Warning - Before you install firmware on a Quantum Spark appliance that runs Gaia Embedded OS, you must disconnect any external storage from the USB port (at the minimum, make sure that the external storage does not contain firmware images for Quantum Spark appliances).

Best Practice - Central deployment of Hotfixes or upgrade packages on the Security Management Server relies on the status reports from the managed Gaia servers. Therefore, we recommend to wait for two minutes after the Gaia server is up and running before you install a Hotfix or upgrade package.

From the left navigation panel, click Gateways & Servers.
Select the target Security Gateways or Cluster Members for deployment.

To select multiple targets, press and hold the CTRL key.

To upgrade Cluster Members, select the cluster object.
From the toolbar menu, click Actions and select one of these options:
- Install Hotfix/Jumbo
- Version Upgrade
The Install Hotfix or Version Upgrade window opens, and shows information about the selected targets and their corresponding recommended Hotfix or Upgrade Package.

If you selected "Install Hotfix/Jumbo", in the "Hotfix/Jumbo" section, select one of these options:

Install the Recommended Hotfix/Jumbo

or

Install a Specific Hotfix/Jumbo

Note - If there is no recommended Jumbo Hotfix Accumulator for the selected targets, this option is grayed out. If a recommended Jumbo Hotfix Accumulator applies only to some of the selected targets, the deployment takes place only for those targets.

Enter the Hotfix file name.

You can copy the Hotfix file name from the applicable SK article to the Install Specific Hotfix text box.

Note - Use the field "Install a Specific Hotfix/Jumbo" to install a firmware package on Quantum Spark Appliances that run Gaia Embedded OS R80.20.xx and higher. The Management Server considers firmware packages based on the same main version as Jumbo Hotfixes. For example, all firmware packages R81.10.XX are based on the main version R81.10.

Example for a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. R80.20:

Click the search icon next to the text box to find the available package.

In the Gateways section, you see the targets you selected for installing the package.
In the Settings section, select the applicable option for the High Availability cluster:
- Install on all cluster members - Installs the selected package on all members in this cluster (active and standby). This can cluster failover and interrupt the traffic.
- Install on non-active members only - Installs the selected package only on standby cluster members.
  - Once installation is complete, turn non-active member to active - Changes the cluster state of a standby cluster member to active.
In the Advanced section, select where the Security Gateway downloads package from:
- Automatic - If the package is in the Package Repository, the Management Server transfers it to the Security Gateway. If the package is not in the Package Repository, the Security Gateway downloads it from the Check Point Cloud.
- Gateway - The Security Gateway downloads the package from the Check Point Cloud. The Security Gateway must be connected to the Internet.
- Management - The Security Gateway downloads the package from the Management Server.
At the bottom, click Verify.

The verification process starts. The verification process makes sure that the selected Hotfix or Upgrade Package can be installed on the targets. The verification process makes sure this package does not override other installed Hotfixes and that enough free disk space is available for the process to complete.

To see the progress of the verification process open the Tasks view in the bottom left corner of SmartConsole and click Details.

Example:
Click Install.
Central Deployment makes sure that Access Control Policy is installed.
After the installation is complete, you must install the applicable Threat Prevention policy on the target Security Gateways and Clusters.

Notes:

If different targets have different recommended Hotfixes or Upgrade Packages, each target gets its applicable recommended Hotfix or Upgrade Package.
Before you install a firmware on a Quantum Spark appliance that runs Gaia Embedded operating system, you must disconnect an external storage from the USB port (at minimum, make sure it does not contain firmware images for Quantum Spark appliances).

Uninstalling a Hotfix or a Jumbo Hotfix Accumulator

To uninstall a Hotfix or a Jumbo Hotfix Accumulator

From the left navigation panel, click Gateways & Servers.
Select the target Security Gateways or Cluster Members for deployment.

To select multiple targets, press and hold the CTRL key.

To uninstall the package on Cluster Members, select the cluster object.
From the toolbar menu, click Actions and select Uninstall Hotfix/Jumbo.

The Uninstall Hotfix/Jumbo window opens.
In the Hotfix/Jumbo section, enter the Hotfix/Jumbo to uninstall.
In the Gateways section, see the targets you selected for uninstalling the Hotfix or Jumbo Hotfix Accumulator.
At the bottom, click Verify.

The verification process starts. The verification process makes sure all necessary conditions are met so that the selected Hotfix or Jumbo Hotfix Accumulator can be uninstalled from the targets.

To see the progress of the verification process open the Tasks view in the bottom left corner of SmartConsole and click Details.
Click Uninstall.

How the Central Deployment Upgrades a Cluster

When you use the Central Deployment to install a software package on all members of a ClusterXL in High Availability mode or VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster (non-VSLS), the Central Deployment follows these steps:

Verifies that the states of the Cluster Members are valid (Active and Standby).
Prepares the Access Control Policy for the Cluster:
1. Changes the version in the Cluster object.
2. Changes the applicable configuration settings and Access Control Policy.
Upgrades the Standby Cluster Member to the new version.
Runs a Multi-Version Cluster (MVC):
1. Makes sure the upgraded Cluster Member is in the Standby or Ready state.
2. Performs cluster failover to one of the upgraded Cluster Members.
Upgrades the former Active Cluster Member.
Verifies that the states of the Cluster Members are valid (Active and Standby).